Asset Management


Comprehensive Sensors 


Qualys Sensors provide the most comprehensive approach to collecting all your asset 
and software inventory data. This lab provides an overview of the various Qualys 
Sensors, with some special attention given to the Qualys Cloud Agent. 


Scanner Appliance 


Qualys scanner appliances are available in three different varieties: 1) Internet-based appliances 
located within the Qualys Cloud Platform, 2) Physical appliances, and 3) Virtual Appliances. 


Any Qualys user with scanning privileges has access to Qualys' pool of Internet-based Scanner 
Appliances. These appliances are ideal for targeting and scanning other Internet-facing assets. 


Qualys physical and virtual scanner appliances can be deployed throughout your business or 
enterprise architecture. 


Citrix XenServer 

Microsoft Hyper-V 

VMware Workstation, Workstation Player, Fusion 
VMware ESXi, vCenter Server (standard) 
VMware vCenter Server (vApp) 

OpenStack 

Microsoft Azure 

Google Cloud Platform 


For a detailed discussion of Scanner Appliance deployment and usage, please see the “Scanning 
Strategies and Best Practices” training course (qualys.com/learning). 


Cloud Agent 


Qualys Cloud Agents install locally on the host assets they protect, sending all collected
data to the Qualys Cloud Platform for analysis.


Qualys agents presently support various Windows, Mac, Linux, and Unix-based 
operating systems. 


Platform            Package
Windows             exe (x86_64)
Linux               rpm (x64)
Linux               rpm (ARM64)
Linux               deb (x64)
Linux               deb (ARM64)
Mac                 pkg (x64)
AIX                 bff.gz (Power5)
BSD                 txz (x64)
Solaris             pkg (x86_64)
Solaris             pkg (SPARC)
Linux PPC 64 LE     rpm (ppc64le)
Core OS             tar.xz (x64)

For a complete list of supported operating systems, see the “Platform Availability 
Matrix” within the Cloud Agent Getting Started Guide: 

https://www.qualys.com/docs/qualys-cloud-agent-getting-started-guide.pdf 

Configure Agents for VMDR

Multiple VMDR applications are supported by Qualys Cloud Agent:

• CyberSecurity Asset Management (CSAM)
• Vulnerability Management (VM)
• Security Configuration Assessment (SCA) / Policy Compliance (PC)
• Patch Management (PM)


These supported application modules must be activated for your VMDR host assets. 


Click the following URL to view the “Configure Agents for VMDR” tutorial: 


LAB 1 - https://ior.ad/7SEb


Activation Keys can be configured from the Cloud Agent application or the VMDR 
“Welcome” page. 


Upgrade Agents with Activation Keys 


VMDR requires the activation of a purpose-built engine for detecting missing patches for Cloud Agents. Select 
Activation keys which you want to upgrade for VMDR. All the agents associated with those keys will be upgraded. 


[Screenshot: the “Manage Cloud Agent Keys” list, showing the “Default VMDR Activation Key” and the “Minimum Module Activation Key” with their provisioned modules (SCA, VM, PM, CSAM).]


Upgrade Activation Keys to include the CSAM, VM, SCA, and PM application modules. 


[Screenshot: the “Edit the activation key” dialog for the “VMDR Lab Activation Key”. Dialog text: “An activation key is used to install agents. This provides a way to group agents and better manage your account. By default this key is unlimited - it allows you to add any number of agents at any time.” Under “Provision Key for these applications” the dialog lists CyberSecurity Asset Management, Patch Management, Vulnerability Management, Policy Compliance, and Secure Config Assessment.]


While VMDR includes the “Security Configuration Assessment” module (by default), 
agent Activation Keys can be updated to include Policy Compliance (PC) instead of SCA. 


Activation Key Tagging Strategy 


Asset Tags provide an effective way to assign your agent host assets to their appropriate 
configuration settings, assessment profiles, and patch jobs. 


Unlike dynamic tags, static tags “stick” to their host systems. Once a “static” tag is 
assigned to a target host, it will remain assigned to that host, until it is manually 
removed or replaced. 


The non-dynamic or predictable nature of a static tag makes it especially useful for 
tracking host assets that are installed from the same Activation Key. 


[Screenshot: the “Edit the activation key” dialog for the “VMDR Lab Activation Key” with the “VMDR Lab” tag selected. Callout: “This static tag will identify agent hosts deployed with this Activation Key.”]


The same Asset Tags that are assigned to agent Activation Keys can then be used to 
assign patching licenses to specific hosts and ensure agent hosts are correctly assigned 
to their appropriate Configuration Profile, Patch Assessment Profile, and Patch Jobs. 


For a detailed discussion of agent installation and configuration steps, see the “Cloud Agent” 
training course (qualys.com/learning). 


Passive Sensor 


Qualys Passive Sensor operates in “promiscuous” mode, capturing network traffic and 
packets from either a network TAP, or the SPAN port of a network switch. 


Both physical (hardware-based) and virtual sensor appliances are available:


Physical
• 1 Gbps sensor - up to 3K assets
• 4 Gbps sensor - up to 15K assets
• 10 Gbps sensor - up to 30K assets


Virtual
• 1 Gbps sensor - up to 3K assets


Sensors deployed at lower layers of your network architecture (i.e., at distribution
switches closest to LAN traffic) may require greater bandwidth capacity.

The Management Interface of the sensor appliance is assigned an IP address and must 
successfully connect to the Qualys Cloud Platform. 


The Sniffing Interface is not assigned an IP address and receives traffic from a network 
TAP or the SPAN port of a network switch. 


[Diagram labels: Cloud; Mirrored Traffic from Switch; Physical Interfaces]


An important advantage of capturing network traffic is the additional
information collected from network conversations (conversations between
communicating hosts).


[Screenshot: “Traffic Details” for May 10, 2019 (10:49) to May 20, 2019 (10:49). “Traffic by Family” shows Web Services 202 MB, Electronic Mail 7 MB, Unassigned 4 MB, Other 2 MB, and IBM Systems.. 98 KB; a table of Web Services conversations lists each client with its Total Ingress and Total Egress.]


A passive sensor not only collects the traffic from “managed” company assets, but it also 
sees traffic from other host assets and services that are attempting to communicate 
with your “managed” host assets (including communications coming from unknown or 
“unmanaged” assets). 


New assets typically appear in Qualys CSAM within 5-10 minutes. As more information is 
discovered it is aggregated across all assets and sent every 15 minutes. 


When your subscription is enabled for traffic analysis, summarized traffic information is 
sent to the Qualys Cloud Platform every 30 minutes for traffic analysis. 


Passive Sensor Deployment Scenarios 


There are different types of network environments and topologies where you may want
to deploy a passive sensor. When connecting a Passive Sensor to the SPAN port
on a network switch, the following port mirroring options can be used:


1. Local SPAN
Switch Port Analyzer (SPAN) mirrors traffic from one or more interfaces or VLANs
to one or more interfaces on the same switch. This method is also called Local
SPAN. In this scenario the sensor appliance is connected directly to one of the
switch ports (i.e., passive sensor and switch are in the same location).


2. RSPAN
If your network has many Layer 2 switches, it may not be possible to configure
local mirroring on each Layer 2 switch and deploy multiple passive sensors
connected to the SPAN port of each one. To handle this situation, use the
Remote Switch Port Analyzer (RSPAN) method to centralize the mirrored
traffic from the various Layer 2 switches. RSPAN provides remote monitoring of
traffic from source ports distributed over multiple switches. It supports source
ports, source VLANs, and destination ports on different switches.


3. ERSPAN 
Some enterprises may have a requirement to passively monitor their networks, 
including those remotely located, and it may not be possible to install a sensor in 
each of the remote locations. To monitor traffic across a WAN or different 
networks, you can use Encapsulated Remote Switch Port Analyzer (ERSPAN). 


The ERSPAN feature supports source ports, source VLANs, and destination ports 
on different switches, which provides remote monitoring of multiple switches 
across your network. 


ERSPAN allows mirrored traffic to be encapsulated and transported over an L3
network to a remote destination. This requires that each location have switches
with ERSPAN capability and that the switches be configured to tunnel mirrored
traffic to a destination L3 switch/router interface.


Please consult the PS Deployment Guide for more information on deployment scenarios 
and configuration steps. 


Network Passive Sensor User Guides 




Look for “Network Passive Sensor” User Guides (under Sensors) in the Qualys 
Documentation Community (qualys.com/documentation). 
Cloud Connector


Create connectors for your AWS, Google, and Azure accounts.


Enumerate cloud instances and collect useful metadata such as:
• Instance or virtual machine ID
• Location or region
• External and private IPs
• Installed software and active services
• and much more...


Search Tip: Within the CyberSecurity Asset Management application, use the
“inventory.source” query token to quickly find AWS, Azure, and Google instances:
• AWS - inventory.source:INSTANCE_ID
• Azure - inventory.source:VIRTUAL_MACHINE_ID
• Google - inventory.source:GCP_INSTANCE_ID


Leverage Qualys Cloud Security Assessment (CSA), to identify and correct 
misconfigurations. 


Cloud Security Assessment Guide 




Look for more information on Cloud Connectors, in the “CSA Getting Started Guide” on 
the Qualys Documentation Community (qualys.com/documentation). 
Container Sensor


Qualys Container Sensor is installed on a Docker host as a container application, right
alongside other containers.


Once installed, CS will assess all new and existing Docker images and containers for
vulnerabilities.


Types of Container Sensors:
• General — Scan Docker hosts.
• Registry — Scan images in public or private registries.
• CI/CD Pipeline — Scan images within CI/CD pipeline (e.g., Jenkins and Bamboo).


For more information and details on deploying and using Qualys Container Sensors, see 
the “Container Security” training course (qualys.com/learning). 
Container Runtime Security

Qualys Container Runtime Security provides container runtime visibility and protection 
and allows you to create rules or policies to actively block or prevent unwanted actions 
or events within your container applications. 




This is achieved by instrumenting images with Container Security components that 
gather functional-level, behavioural data about the processes running within a 
container. 

We use an application-native instrumentation process that provides complete visibility of 
the application inside the container. The instrumentation is very lightweight and 
provides configurable data collection options with low\no impact on application 
performance. 

Behavioural data is used by Container Security to monitor process activity, allowing you 
to apply security policies and custom security controls, to block specific events or 
attempted activities. 

Container Runtime Security (CRS) can be deployed for both on-prem and cloud 
container environments and is particularly useful for securing containers in a CaaS 
environment where the underlying host infrastructure is managed by a cloud service 
provider. 


Presently, the Container Runtime Security instrumenter supports the following registries 
for instrumentation: 


• Public registries: Docker Hub
• Private registries: v2-private registry: JFrog Artifactory (secure: auth + https)


Container Sensor User Guides




Look for Container Sensor User Guides on the Qualys Documentation Community 
(qualys.com/documentation). 
CyberSecurity Asset Management


The Qualys CyberSecurity Asset Management application collects raw data from Qualys 
Sensors and then adds its own categorization, normalization and enrichment 
information. 


Qualys provides Level 1 and 2 categories for Hardware, Operating Systems, and 
Software Application assets. 


Hardware Classification 


attribute                    example               Search Token
category (level1 / level2)   Computer / Notebook   hardware.category
category (level1)            Computer              hardware.category1
category (level2)            Notebook              hardware.category2
full hardware name           Dell Latitude e7470   hardware
manufacturer                 Dell                  hardware.manufacturer
product                      Latitude              hardware.product
model                        e7470                 hardware.model


The table (above) provides some useful examples of “hardware” tokens. 


To view all of the hardware categories in your account, group assets by hardware 
category (i.e., INVENTORY > Assets > Group Assets by... > Hardware > Category). 


Operating System Classification 


attribute                    examples                                Search Token
category (level1 / level2)   Windows, Unix, Linux, Mac, ...          operatingSystem.category
category (level1)            Windows                                 operatingSystem.category1
category (level2)            Client                                  operatingSystem.category2
full operating system name   Windows 7 Enterprise (6.1 SP2) 64-Bit   operatingSystem
publisher                    Microsoft                               operatingSystem.publisher
name                         Windows 7                               operatingSystem.name
architecture                 64Bit                                   operatingSystem.architecture
market version               7                                       operatingSystem.marketVersion
version                      6.1                                     operatingSystem.version
update                       SP2                                     operatingSystem.update
edition                      Enterprise                              operatingSystem.edition


The table (above) provides some useful examples of “OS” tokens. 

To view all of the OS categories in your account, group assets by operating system
category (i.e., INVENTORY > Assets > Group Assets by... > Operating System > Category). 


Software Classification 


attribute                    examples                                                Search Token
type                         Application, Driver, OS Update, Unknown                 software.type
category (level1 / level2)   Productivity > Productivity Suites                      software.category
category (level1)            Productivity                                            software.category1
category (level2)            Productivity Suites                                     software.category2
full software name           Microsoft Office 2016 (16.0.1.2) Professional 64-Bit    software.name
publisher                    Microsoft                                               software.publisher
product                      Office                                                  software.product
architecture                 64-Bit                                                  software.architecture
market version               2016                                                    software.marketVersion
version                      16.1                                                    software.version
update                       16.1.1.2                                                software.update
edition                      Professional                                            software.edition


The table above provides some useful examples of “software” tokens. 


To view all of the software categories in your account, group software by software 
category (i.e., INVENTORY > Software > Group Software by... > Category). 


Click the following URL to view the “Search Using Categories” tutorial: 


LAB 2 - https://ior.ad/7SEE


Example Queries


To build a dynamic tag for Windows-based systems, use the “Asset Inventory” rule 
engine with the following query: 


operatingSystem.category1:'Windows'


To build a dynamic tag for “Server” host assets, use the “Asset Inventory” rule engine 
with the following query: 


operatingSystem.category2:'Server'


To build a dynamic tag for Windows Servers, use the “Asset Inventory” rule engine with 
the following query: 


operatingSystem.category:Windows / Server 


The first value (Windows) is separated from the second value (Server) by the slash (“/”) 
symbol. 


Dynamic Rule-Based Tags 


Qualys CSAM provides multiple rule engines for creating dynamic Asset Tags:
• Asset Name Contains
• Asset Inventory
• IP Address In Range(s)
• IP Address In Range(s) + Network(s)
• Open Ports
• Cloud Asset Search
• Vuln(QID) Exist


The “Asset Inventory” rule engine allows you to build tags using the Qualys Query 
Language and various query tokens, including the hardware, OS, and software category 
tokens. 


Click the following URL to view the “Dynamic Rule-Based Tags” tutorial: 


Lab 3 - https://ior.ad/7SEK


Unidentified vs. Unknown


The OS and Hardware values for some assets may be displayed as Unidentified or 
Unknown. This is especially common within the list of “Unmanaged” assets. 


Unidentified

• Not enough data has been discovered/collected for Qualys to determine the
hardware or operating system.

• To reduce the number of unidentified assets in your account, attempt to
perform scans in “authenticated” mode and ensure network filtering devices
allow your scan traffic to pass.


Unknown

• Adequate data exists for Qualys to categorize the asset, but it has yet to be
cataloged.

• Assets are processed by Qualys labs for analysis and categorization. Qualys
researchers review data and update the catalog daily.


Managed vs. Unmanaged Assets


With Qualys Passive Sensor, the CSAM application will help you to distinguish between 
1) Managed and 2) Unmanaged host assets. 




Managed assets in your account will have known values for hostname, IP address, and
MAC address. Newly discovered hostnames, IPs, and MAC addresses will be initially
labeled as new or “Unmanaged.”


New data collected can potentially be merged with existing data only when:
• Both IP address and MAC address have been successfully matched, or
• Both IP address and hostname have been successfully matched.


CSAM uses these combinations, plus operating system and time to uniquely identify 
assets. NOTE: A single asset can potentially have multiple interfaces. 
CMDB Sync


With the Qualys CMDB Sync App, your ServiceNow CMDB can serve as another source 
of data. Also, ServiceNow CMDB can benefit from Qualys categorization, normalization, 
and data enrichment. 


To work successfully, the app needs to be installed in Qualys and ServiceNow. Once 
installed, metadata can move in both directions. Asset metadata synchronization is 
performed for assets already in Qualys and ServiceNow, concurrently (i.e., not for new 
asset discovery). 


Business Context Attributes 


Automatically import business context attributes from ServiceNow CMDB. 


businessApp:(businessCriticality
businessApp:(environment
businessApp:(id
businessApp:(managedBy
businessApp:(name
businessApp:(operationalStatus
businessApp:(ownedBy
businessApp:(supportGroup
businessApp:(supportedBy


Click the following URL to view the “Business Context through CMDB Sync” tutorial: 


Lab 4 - https://ior.ad/7SEX

To implement ServiceNow CMDB Integration, a Qualys subscription with API access is
required, along with the following application modules:

• CSAM
• Vulnerability Management


Qualys provides two apps for integrating Qualys with ServiceNow CMDB:

1. Qualys CMDB Sync App
   • Install the Qualys CMDB Sync App (available in ServiceNow Online Store)

2. Qualys CMDB Sync Service Graph Connector App
   • Install the Qualys Service Graph Connector App (available in ServiceNow
     Online Store)
   • ITOM Visibility license in ServiceNow


The Qualys CMDB Sync Service Graph Connector App requires ServiceNow “Orlando”
version or later.




Look for both CMDB Sync User Guides within the Qualys Documentation Community 
(qualys.com/documentation). 
Asset Criticality Score


With GAV/CSAM, you can apply tags manually or dynamically to host assets and you can 
configure an Asset Criticality score for any tag, which is applied to its assigned assets. 


You can set the Asset Criticality Score from 1 to 5, where 1 is the lowest criticality
and 5 is the highest criticality assigned to an asset. This score represents the
criticality of the asset to your business infrastructure.


CSAM automatically calculates the Asset Criticality Score of an asset based on its highest 
criticality score. 


[Screenshot: the “Asset Criticality Score” panel for a managed asset, listing the scores assigned to the asset through multiple tags. Panel text: “The highest score assigned to the asset via multiple tags is the asset criticality score of the asset.”]


In the example above the host is awarded an Asset Criticality Score of five (5). 


*Note that tag criticality score for system tags (e.g., Cloud Agent, Business Unit, etc...) 
will always be Null. 


The default criticality score for an asset is two (2), if it has no tag (with an Asset 
Criticality Score) attached to it. 
Asset Group Tags


Asset Groups configured with a Business Impact Score are mapped to their respective
Asset Criticality Scores as follows:


Business Impact Score    Asset Criticality Score
Critical                 5
High                     4
Medium                   3
Minor                    2
Low                      1


By default, a new Asset Group has a Business Impact Score of High. 
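
The scoring rules from the last two sections (highest tag score wins, system tags contribute nothing, untagged assets default to 2, Asset Groups map Business Impact to a score), combined in one added example; this is not Qualys code. The tag dictionaries, their `kind` field and the sample inventory are hypothetical and constructed for the illustration.

```python
# Business Impact -> Asset Criticality Score, as in the mapping on this page.
BUSINESS_IMPACT_SCORE = {"Critical": 5, "High": 4, "Medium": 3, "Minor": 2, "Low": 1}
DEFAULT_ASSET_SCORE = 2             # asset with no scored tag attached
NEW_GROUP_BUSINESS_IMPACT = "High"  # Business Impact of a new Asset Group


def tag_score(tag):
    """Return the score one tag contributes, or None if it contributes none."""
    kind = tag.get("kind", "user")          # hypothetical field: user | system | asset_group
    if kind == "system":
        return None                         # system tags always carry a Null score
    if kind == "asset_group":
        impact = tag.get("business_impact", NEW_GROUP_BUSINESS_IMPACT)
        return BUSINESS_IMPACT_SCORE[impact]
    score = tag.get("criticality")          # user tags may have no score configured
    if score is not None and score not in range(1, 6):
        raise ValueError(f"criticality must be 1-5, got {score!r}")
    return score


def asset_criticality(tags):
    """Return (score, names of the tags that set it) for one asset."""
    scored = [(tag_score(t), t["name"]) for t in tags]
    scored = [(s, n) for s, n in scored if s is not None]
    if not scored:
        return DEFAULT_ASSET_SCORE, []      # only unscored or system tags
    top = max(s for s, _ in scored)
    return top, [n for s, n in scored if s == top]


def rank_assets(inventory):
    """Return hostnames ordered from most to least critical."""
    return sorted(inventory, key=lambda h: -asset_criticality(inventory[h])[0])


# Constructed inventory: hostnames and tag assignments are made up.
INVENTORY = {
    "web-01": [
        {"name": "Cloud Agent", "kind": "system"},
        {"name": "Type: Servers", "criticality": 4},
        {"name": "webserver", "criticality": 5},
    ],
    "kiosk-07": [{"name": "Cloud Agent", "kind": "system"}],
    "dmz-03": [{"name": "DMZ Hosts", "kind": "asset_group"}],
    "lab-12": [
        {"name": "Lab Network", "kind": "asset_group", "business_impact": "Low"},
        {"name": "Test Systems", "criticality": 1},
    ],
}

if __name__ == "__main__":
    for host in rank_assets(INVENTORY):
        score, drivers = asset_criticality(INVENTORY[host])
        print(f"{host:10} score={score} set by {drivers or 'default'}")
```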
Product Lifecycle Management


End-of-life and End-of-support software and obsolete hardware increase risk to 
organizations. Organizations unable to get support can incur extended downtimes and 
technical issues that lead to decreased performance and productivity. EOL and EOS 
assets can also impact compliance objectives. 


Click the following URL to view the “Product Lifecycle Management” tutorial: 


[S 12 5- nos/ioraa/7sxe 


Hardware Lifecycle 


CSAM provides hardware vendor lifecycle dates and support details. CSAM has lifecycle 
information for hundreds of hardware manufacturers and thousands of models. Qualys 
continuously adds new hardware manufacturers, products and models to its catalog. 


[Screenshot: the CSAM inventory search bar suggesting the hardware lifecycle tokens hardware.lifecycle.eos, hardware.lifecycle.ga, hardware.lifecycle.intro, hardware.lifecycle.obs, and hardware.lifecycle.stage.]


You can use multiple search tokens in CSAM to quickly filter assets based on their 
hardware lifecycle information to identify assets requiring replacement or upgrade. 


IT can leverage end-of-life and end-of-support dates to plan ahead for future
procurement activity (e.g. technology refreshes, extended warranty and support, etc.).
OS & Software Lifecycle


CSAM also provides software vendor lifecycle dates and support details, so that
organizations can analyze how end-of-life and end-of-support software in their
environment may pose risk and potential productivity impact (e.g. lack of patches,
incompatibility with future OS/applications, etc.).


[Screenshot: the CSAM software search bar suggesting the software lifecycle tokens software:(lifecycle.eol, software:(lifecycle.eos, software:(lifecycle.ga, and software:(lifecycle.stage.]


You can use multiple search tokens in CSAM to quickly filter assets and software based 
on the software lifecycle information. 


[Screenshot: the software inventory filtered with the query software:(lifecycle.eol: [now ... now+3M]), listing each release with its category, license, and GA and EOL dates.]


You can find out what software/OS is end-of-life or end-of-support now and within a
future timeframe, so that you can assess impact and plan proper remediation (e.g.
technology refresh, OS compatibility checks, budgeting, etc.).


This gives IT teams some notice on when software updates are needed. You can also 
search on end-of-support. 
Software Authorization Rules


In CSAM, you can create different types of rules to define software authorization: 


[Screenshot: the “Select Software” step of a rule, where applications, releases, publishers or categories are added under “Add Authorized Software”, “Add Unauthorized Software” or “Needs Review”.]


1. Authorized — software is authorized for use.
2. Unauthorized — software is NOT authorized for use.
3. Needs review — review is required to determine software authorization.


Click the following URL to view the “Software Authorization” tutorial: 


Lab 6 - https://ior.ad/7SFq 


Rules are designed for specific groups of assets. For example, while browsers are 
commonly authorized for use on desktop and laptop systems, they add greater risk to a 
host and should NOT be authorized for production servers. 
Software Version\Update Criteria


Rules support criteria for software versions and updates. 


[Screenshot: the “Select Software” step of a rule, with three products listed under “Add Authorized Software”:]

PRODUCT              PUBLISHER   CATEGORY                        CRITERIA
SQL Server Data...   Microsoft   Databases / RDBMS               Above - Version
Oracle Database      Oracle      Databases / RDBMS               In Between - Version
Cloud Agent          Qualys      Security / Endpoint Managem..   Above - Update


Each product can be configured to match against a specific Version or Version Updates. 


[Screenshot: the “Modify Versions/Updates Scope” dialog for the Universal Forwarder product, with a Version/Update selector and a Criteria drop-down offering Any, Specific Versions, In Between Versions, Above, and Below.]


Further, a user can configure rule matching under the following categories for a single
product:


• Any Version (default setting) - Applies the rule to all versions of the selected
product.

• Specific Versions - Applies the rule to the selected subset of the product's versions.

• In Between Versions - Applies the rule to versions of the product that fall
between the two selected versions. Please note that the selected
versions are excluded from the matching criteria.

• Above - Applies the rule to versions of the product that are greater
than the selected version. Please note that the selected version is excluded from
the matching criteria.

• Below - Applies the rule to versions of the product that are less than
the selected version. Please note that the selected version is excluded from the
matching criteria.


Rule Processing Requirements
1. Host must have one or more Asset Tags * 
2. Host must have one or more installed software applications 
3. Software Rules match host assets based on specific applications/versions and 
Asset Tags included/excluded 


* For a new asset, software authorization rules won't be applied until tag evaluation and assignment is completed. 


Rule Processing Order


ORDER   RULE (description)                                        STATUS    SOFTWARE   TAGS
1       Database Servers (Software Policy for Database Servers)   Enabled   27         Database Server
2       Web Server (Software Policy for Web Servers)              Enabled   7          Webserver
3       Data Center Server (Software Policy for All Servers)      Enabled   19         Type: servers
4       Clients (Software Policy for Client OS)                   Enabled   7          Type: clients

Rules are applied on the basis of rule order precedence. Any Rule has precedence over 
the rules below it. Rule processing begins at the top of the rule list and ends when the 
first match is found. 
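
The version criteria and the first-match rule order described above can be modelled in a few lines. This is an added example, not Qualys code: the class and function names are hypothetical, versions are assumed to be numeric dotted strings, and a "match" is assumed to mean that both the host's tags and a software entry of the rule match.

```python
from dataclasses import dataclass, field


def parse_version(text):
    """'12.1.0' -> (12, 1). Assumes numeric dotted versions; trailing zeros
    are dropped so that 19.0 and 19.0.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Scope:
    criteria: str = "any"      # any | specific | between | above | below
    versions: tuple = ()       # the version(s) selected in the rule

    def matches(self, version):
        v = parse_version(version)
        picked = sorted(parse_version(x) for x in self.versions)
        if self.criteria == "any":
            return True
        if self.criteria == "specific":
            return v in picked
        if self.criteria == "between":      # both selected versions excluded
            return picked[0] < v < picked[1]
        if self.criteria == "above":        # selected version excluded
            return v > picked[0]
        if self.criteria == "below":        # selected version excluded
            return v < picked[0]
        raise ValueError(f"unknown criteria: {self.criteria}")


@dataclass
class Entry:
    product: str
    status: str                 # Authorized | Unauthorized | Needs Review
    scope: Scope = field(default_factory=Scope)


@dataclass
class Rule:
    name: str
    include_tags: frozenset
    entries: list
    exclude_tags: frozenset = frozenset()
    enabled: bool = True


def authorize(host_tags, product, version, rules):
    """Return (rule name, status) from the first matching rule, else None."""
    host_tags = set(host_tags)
    if not host_tags:
        return None             # untagged host: rules are not applied yet
    for rule in rules:          # list order is the rule order
        if not rule.enabled:
            continue
        if not (rule.include_tags & host_tags) or (rule.exclude_tags & host_tags):
            continue
        for entry in rule.entries:
            if entry.product == product and entry.scope.matches(version):
                return rule.name, entry.status   # first match ends processing
    return None


# Constructed sample rules: rule names and tags follow the rule list on this
# page; products, versions and statuses are made up for the example.
RULES = [
    Rule("Database Servers", frozenset({"Database Server"}), [
        Entry("Oracle Database", "Authorized", Scope("between", ("12.1", "19.0"))),
    ]),
    Rule("Data Center Server", frozenset({"Type: servers"}), [
        Entry("Oracle Database", "Unauthorized"),
        Entry("Cloud Agent", "Authorized", Scope("above", ("4.0",))),
    ]),
]

if __name__ == "__main__":
    db_host = {"Database Server", "Type: servers"}
    for ver in ("12.1", "18.0", "19.0"):
        print(ver, authorize(db_host, "Oracle Database", ver, RULES))
```

The boundary versions 12.1 and 19.0 fall through the first rule because "In Between" excludes the selected versions, so the broader rule further down the list decides them.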


Software Authorization Tokens 


Once you have created one or more software authorization rules, search for 
authorized/unauthorized software using the “software authorization” tokens: 


• Authorized

  software:(authorization:`Authorized`)

• Unauthorized

  software:(authorization:`Unauthorized`)

• Needs Review

  software:(authorization:`Needs Review`)


Query results can be viewed by software name or impacted assets. Alternatively, create
a “software authorization” report (i.e., REPORTS section), using the “software
authorization” tokens.


Reports


Mandates like FedRAMP and PCI require you to track all assets and software, as well as 
continuously monitor their security gaps. With CSAM you can easily generate reports so 
you can demonstrate compliance. Reporting includes configurable out-of-the-box 
templates, for example to address FedRAMP requirements. You can also generate 
reports to provide information about your environment to internal or external 
stakeholders using our reporting function. 

[Screenshot: CSAM REPORTS tab with “Create Report” and “Create Interactive Report”
options. The report list shows a FedRAMP compliance report (FedRAMP Template) and an
asset report (Asset Details template), both created by trann3fq27 in September 2021.]


Click the following URL to view the “Asset, Software, & Compliance Reports” tutorial: 


Lab 7 - https://ior.ad/7Rfd 


Asset Details Report 


This report shows asset inventory data for selected assets based on host information 
(attributes). 


[Screenshot: “Create New: Asset Details”, step 3 of 4 (Report Display). Under Host
Information you select the columns to show in the report, for example Asset ID, Asset
Host ID, Asset Name, Asset Type, MAC Address, IP Address, Operating System, NetBIOS
Name, DNS Hostname, Last VM Scan Date, and the OS and hardware lifecycle fields.]


You can select the asset scope for the report using asset name, asset tags or
queries. Once you create the report, its status shows as 'Accepted'.

REPORT NAME            CREATED BY   CREATED ON                 TEMPLATE        STATUS
Asset Details Report   trann3fq27   6 October, 2021 10:04 AM   Asset Details   Completed


Once report execution is finished, it will show status as 'Completed' and you'll be able to 
download the report. 


The attributes selected in the report will become column headers in the CSV report. 
[Screenshot: CSV export of the Asset Details report. The selected attributes (Asset ID,
Asset Host ID, Asset Name, NetBIOS Name, DNS Hostname, Asset Type, MAC Address, IP
Address and so on) are listed in the column headers, with one row per asset.]


Software Details Report 


This report shows details of the selected assets based on software and host
information (attributes).


[Screenshot: Report Display step of the Software Details report. Under Software
Information you select columns such as Software Name, Software Type, Software Product,
Software Version, Software Update, Software Publisher, Software Category 1 and 2,
Software Edition, Software License Category, Software Instance Count and the Software
Lifecycle dates and stages. Under Host Information you select the same host columns as
in the Asset Details report.]


Compliance Report


This report shows details of the assets for FedRAMP compliance based on software and
host information (attributes).


[Screenshot: column selection for the Compliance Report.
Software Information: Software/Database Vendor, Software/Database Name & Version, Patch
Level, Function, Comments, Software Lifecycle GA/EOL/EOS Date, Software Lifecycle Stage,
Software Lifecycle Confidence, Software Lifecycle EOL/EOS Support Stage.
Host Information: Unique Asset Identifier (Qualys unique identifier), IPv4 or IPv6
Address, Virtual, Public, DNS Name or URL, NetBIOS Name, MAC Address, Authenticated
Scan, Baseline Configuration Name, OS Name and Version, Location, Asset Type, Hardware
Make/Model, In Latest Scan, Bios Asset Tag, Bios Serial Number, VLAN/Network ID, System
Administrator/Owner, Application Administrator/Owner, and the OS and HW lifecycle dates,
stages and confidence.]


This report satisfies your auditors without you having to manually extract and
aggregate the data, or push the data to a 3rd party and do manual scripting. This makes
your job much simpler and quicker.


Interactive Report


This report provides an interactive workflow and focuses on asset health issues instead 
of just inventory data. By correlating security gaps with asset context and business 
context, the Interactive Report will help you to “zero in” on the most critical asset health 
issues so that you can address them quickly. 


[Screenshot: CSAM REPORTS tab with the “Create Interactive Report” button.]


Click the following URL to view the “Interactive Report” tutorial: 


Lab 8 - https://ior.ad/7Rfc


After selecting one or more asset tags as your targeted assets, you are provided a 
summary of all assets that are in scope and the area of concern. 


[Screenshot: Interactive Report summary for the selected asset tags, with cards for
Total Assets in Scope (5.33K), assets exposed to the Internet, assets with one or more
security gaps, and a breakdown by security gap.]


Internet Facing Assets 


Hosts with public interfaces are at greater risk because of their exposure to the Internet, 
especially with vulnerabilities that can be exploited without authentication. The risk 
becomes even more significant if the same host has unauthorized and EOL/EOS 
software. So, you need to have visibility into assets with such an exposure. 


From here, you can pivot further on assets of interest by applying various filters. The
filter options are provided in three categories:


Business Context

It’s important to consider the business impact of an asset when prioritizing assets for 
security gap analysis. Here, you can select Asset Criticality, Department and Asset 
Support Groups as filters. 


[Screenshot: Business Context filter with an ASSET CRITICALITY slider running from
Most Critical to Least Critical.]

With the slider set to the position illustrated above, only assets with a Criticality
score of 4 or 5 will be considered for the report.


DEPARTMENT: IT Operations, DevOps, Corp IT, Customer Support

ASSET SUPPORT GROUP: DevOps Group, IT Operations, Corp IT, Development Group


Department and Asset Support Group filters are based on business information derived 
from CMDB sync and provide additional means to refine your asset scope. 


Asset Categories 

You can also pivot on specific asset categories using the Level 1 hardware (server,
desktop, mobile device, network device, etc.) and OS (Windows, Linux, Mac, etc.)
category filters, which give the user an idea of the primary function of the product.
The categories listed in the report are based on the assets that are mapped to the
selected asset tags.


[Screenshot: Asset Categories filter]

HARDWARE: Cloud Instance (2.47K), Unidentified (2.24K), Server (445), Virtual Machine
(135), Switch (9), Bridges and Routers (8), Unknown (7), Firewall Device (6), Server
Load Balancer (4), Desktop (2), Network Attached Storage (NAS) Device (1), Terminal
Server (1)

OS: Linux (3.01K), Unidentified (1.22K), Windows (957), Unix (42), Firmware (38),
Network Operating System (36), Virtualization (23), Mac (2), Filesystem Software (1),
Unknown (1)


Security Gap


And lastly, you can filter assets based on the security gap area such as EOL/OBS 
hardware, EOL/EOS software or OS and unauthorized software. 


[Screenshot: Security Gap filter options: Unauthorized Software, EOS/EOL Software,
OBS/EOS Hardware, EOS/EOL OS.]


Once your filter options have been selected, click the “Generate Report” button. 




The displayed assets and software will reflect the priority options you specify. 
[Screenshot: report results with Assets (13) and Software (110) tabs, summary cards per
security gap (Unauthorized Software, EOS Software, EOL Software, OBS Hardware, EOS
Hardware, EOS OS, EOL OS), and an asset table with the columns ASSET, ASSET
CRITICALITY, SYSTEM INFO, OWNER, LOCATION and SOFTWARE ISSUES (EOL/EOS, UNAUTHORIZED).]


At the top, you can see a summary count of assets or software instances (depending
on whether you are in the Assets or the Software section of the result) with a security
gap. Clicking on these cards/numbers filters assets/software as per the identified
security gap.


Rule-Based Alerts


Rule-based alerts provide ongoing detection, automatically triggering alerts for critical 
events based on real-time activity. This eliminates the need to manually search the 
same event or security gaps over and over by leveraging time-saving automation. 


In CSAM, you can configure rules to monitor critical events and define actions to send 
you alert messages if events/incidents matching the condition are detected. 


Click the following URL to view the “Rule-Based Alerts” tutorial: 


Lab 9 - https://ior.ad/7Rfe


You can set rules and create actions under the 'RESPONSES' tab. 
On the RESPONSES tab: 


1. Define Actions > Configure rule actions to specify one or more actions to be 
performed when events matching a condition are detected. You can set alerts to be 
sent by Email, PagerDuty, or Post to Slack. 


[Screenshot: RESPONSES > Actions tab listing the action “Alert Sec Ops Email: Trickbot
Detection” (Alert on any Trickbot detections) with 1 active rule.]


2. Set up your rules in the Rule Manager tab > Here you create a rule with specific
criteria and then determine a course of action for any instance that meets the
criteria.


Let's say your goal here is to track all databases that are going to be EOS in 6
months. You want some time to react and address the issue before they actually go
EOS.

The QQL query to configure for this rule is:

software:(category1:`Databases` and component:`Server`
and lifecycle.eos:[now+179d ... now+180d])


Using this type of alert, your security teams can always stay on top of EOL/EOS 
software in your environment. 
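
What the one-day window [now+179d ... now+180d] selects is easier to see when the rule is replayed over time. The following is an added sketch, not Qualys code: it assumes date granularity, inclusive range bounds and one evaluation per day, and the inventory records and function names are constructed for the example.

```python
from datetime import date, timedelta


def in_window(eos, today, start_days=179, end_days=180):
    """True when eos falls inside [today+179d, today+180d], bounds included."""
    return today + timedelta(days=start_days) <= eos <= today + timedelta(days=end_days)


def rule_matches(sw, today):
    """Mirror of the three conditions in the rule query."""
    return (sw["category1"] == "Databases"
            and sw["component"] == "Server"
            and in_window(sw["eos"], today))


def alert_days(sw, rule_created, horizon_days=365):
    """Days on which a daily evaluation of the rule would match this software."""
    days = (rule_created + timedelta(days=n) for n in range(horizon_days))
    return [d for d in days if rule_matches(sw, d)]


# Constructed inventory records (not real lifecycle data).
RULE_CREATED = date(2021, 10, 6)
INVENTORY = [
    # EOS well beyond 180 days out: matches when it enters the window.
    {"name": "db-server-a", "category1": "Databases", "component": "Server",
     "eos": date(2022, 6, 30)},
    # EOS only 90 days after the rule was created: already past the window.
    {"name": "db-server-b", "category1": "Databases", "component": "Server",
     "eos": date(2022, 1, 4)},
    # Same EOS date as db-server-a, but not a Server component.
    {"name": "db-client-c", "category1": "Databases", "component": "Client",
     "eos": date(2022, 6, 30)},
]

if __name__ == "__main__":
    for sw in INVENTORY:
        print(sw["name"], [d.isoformat() for d in alert_days(sw, RULE_CREATED)])
```

In this model a database whose EOS date is already less than 179 days away when the rule is created never enters the window, so such software needs a separate query with a wider range.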


[Screenshot: rule form.
Rule Name: Rule to Alert for EOS Database
Description: Email alert for upcoming Database EOS event.
Rule Query: the query shown above
Actions: Email Alert for EOS Database
Recipient: dbowner@qualys.com]


Currently, CSAM supports only the single match, that is, one alert for one match.


Asset Tokens 


CSAM also supports the use of tokens within the message body, which work as
placeholders or variables for data values that populate when the search completes. You
can include a variety of search tokens pertaining to asset search, cloud metadata
search and others. All 3 action types (Email, Slack, PagerDuty) support the use of
tokens.

asset.created
asset.lastLoggedOnUser
asset.lastUpdated
asset.name
asset.netbiosName
asset.trackingMethod
asset.lastLocation
asset.criticalityScore
asset.assetID
hardware
hardware.category
hardware.category1
hardware.category2
hardware.lifecycle.eos
hardware.lifecycle.obs
hardware.lifecycle.stage
hardware.manufacturer
hardware.model
hardware.product
interfaces.address
interfaces.gatewayAddress
inventory.created
inventory.lastUpdated
inventory.source
openPorts.firstFound
openPorts.lastUpdated
openPorts.port
operatingSystem
operatingSystem.architecture
operatingSystem.category
operatingSystem.category1
operatingSystem.category2
operatingSystem.edition
operatingSystem.installDate
operatingSystem.lifecycle.eol
operatingSystem.lifecycle.eos
operatingSystem.lifecycle.stage
operatingSystem.marketVersion
operatingSystem.name
operatingSystem.publisher
operatingSystem.update
operatingSystem.version
software.architecture
software.category
software.category1
software.category2
software.edition
software.installDate
software.lastUpdated
software.lastUseDate
software.license.category
software.lifecycle.eol
software.lifecycle.eos
software.lifecycle.stage
software.marketVersion
software.name
software.product
software.authorization
software.publisher
software.update
software.version
software.component
software.firstFound
tags.name
volumes.free
aws.ec2.availabilityZone
aws.ec2.imageId
aws.ec2.instanceState
aws.ec2.instanceId
aws.ec2.accountId
aws.ec2.instanceType
aws.ec2.launchDate
aws.ec2.privateIpAddress
aws.ec2.publicIpAddress
aws.ec2.region.code
aws.ec2.subnetId
aws.ec2.vpcId
azure.vm.location
azure.vm.name
azure.vm.privateIpAddress
azure.vm.publicIpAddress
azure.vm.resourceGroupName
azure.vm.size
azure.vm.state
azure.vm.subnet
azure.vm.subscriptionId
azure.vm.vmid
gcp.compute.hostname
gcp.compute.machineType
gcp.compute.network
gcp.compute.privateIpAddress
gcp.compute.projectid
gcp.compute.projectNumber
gcp.compute.publicIpAddress
gcp.compute.state
gcp.compute.zone


When a condition matching the rule is detected, the alert that is generated will include 
the asset name, asset criticality score, hardware category, OS of the asset, etc. 
depending on the tokens inserted in the message body. 


When a rule's trigger criteria are met, CSAM sends alerts containing the details of
the events to your configured account.


[Screenshot: mail client inbox with several “ITAM Alert MApper regression” and “AWS
Asset [Cloud Instance only]” messages from noreply@qualys.com. The opened message
reads:

Alert for Asset create and updated
asset.assetID : 8779050
asset.created 1622122157000
asset.lastUpdated: 1626126913997]


The illustration above is for an email type alert action.

3. Monitor all the alerts in Activity Tab > Monitor alerts that were sent after the rules
were triggered. Users can monitor all the action events in this tab.


[Screenshot: RESPONSES > Activity tab showing 9.02K total activities charted by day,
with filters by rule name and action name, and a table listing rule name, status,
action, matches and created-by for each triggered alert.]


Vulnerability Management


Qualys VMDR and CSAM provide numerous tools and features for working with 
vulnerabilities, including dynamic Widgets and Dashboards, search and query tools, and 
the “Prioritization Report.” 


CSAM 


While vulnerability findings can be viewed from multiple Qualys applications, 
CyberSecurity Asset Management also provides some response capabilities. 


When viewing asset details from within the CSAM application, vulnerability findings are 
initially displayed graphically. 


[Screenshot: Asset Details for ws2016dfw242, Vulnerabilities view, with a
“Vulnerabilities by Severity” chart of 40 confirmed vulnerabilities. Point and click to
drill down into vulnerability details.]


Qualys severity levels rank the potential impact or outcome of a successful vulnerability 
exploit. A “Severity 5” vulnerability is the most urgent, while a “Severity 1” vulnerability 
is the least urgent. 


Specific vulnerability details can be quickly displayed with a click of your mouse.

Patches for selected vulnerabilities can then be added to a new or existing patch job.


[Screenshot: vulnerability list for the asset, filtered with
vulnerabilities.severity:[5] and vulnerabilities.typeDetected:[Confirmed]
(9 vulnerabilities), such as 91591 Microsoft Windows Security Update for December 2019
and 91598 Microsoft .NET Framework Security Updates for January 2020. Each entry has a
“Patch Now” menu with “Add to New Job” and “Add to Existing Job”, so patch jobs can be
built from Global IT Asset Inventory.]


In the CSAM application, patching and response tasks are performed “host-by-host.” To 
deploy patches pervasively (for a large number of assets), the tools in VMDR and PM 
provide a better solution. 


VMDR 


Once the required assessment data is collected from Qualys scanners and agents, the
VULNERABILITIES section of Qualys VMDR displays your complete list of discovered
vulnerabilities along with powerful search and query capabilities.


Patch Jobs can be quickly and conveniently created for a specific list of high-risk 
vulnerabilities and assets, allowing you to deploy patches, based upon the 
vulnerabilities they actually fix. 


Click the following URL to view the “Vulnerability Findings” tutorial: 


Lab 10 - https://ior.ad/7SGa

After selecting one or more patchable vulnerabilities, click the “View Missing Patches”
option, to build the list of required patches that are missing.


[Screenshot: VMDR VULNERABILITIES section with the Vulnerability query
vulnerabilities.vulnerability.qualysPatchable:TRUE and the Asset query
tags.name:'Cloud Agent' and activatedForModules:PM. With detections selected, the
Actions menu offers “View Missing Patches”. Listed detections include 372508 Oracle
Java SE Critical Patch Update - April 2020 and 374827 Mozilla Firefox Multiple
Vulnerabilities (MFSA2021-01).]


Not all vulnerabilities are patchable. Patchable vulnerabilities must meet the following
conditions:

• Detected vulnerabilities must be associated with one or more patches found in the
  PM Patch Catalog (vulnerabilities.vulnerability.qualysPatchable:TRUE).
• Detection Host must be running the Qualys Cloud Agent (tags.name:'Cloud Agent').
• Cloud Agent must have the PM module activated (activatedForModules:PM).

The Qualys Cloud Agent performs the “Patching” function for the Qualys Platform.


Dashboards & Widgets


Continuously monitor assets and vulnerabilities with any number of “out-of-box” 
Dashboards or build your own custom Dashboards and Widgets. 


[Screenshot: Dashboard Templates library (Add or Customize Dashboard templates) with a
“Build from Scratch” option and templates grouped by module: CSAM (4), Policy
Compliance (1), Unified Dashboard (35), VMDR (16), Web Application Firewall (1), File
Integrity Monitoring (6), EDR (5) and others. The templates shown are created by
Qualys.]


Click the following URL to begin the “Dashboards & Widgets” tutorial: 


Lab 11 - https://ior.ad/7SGe 


Widget Types 


Widgets are designed to display query results graphically. There are four different 
graphic options: 


[Screenshot: icons for the four widget types; the legible labels are Table and Column.]


Widgets are automatically updated to reflect changes in your asset data and findings.

The “count” widget can be configured to change color, as changes to assets and
vulnerability findings reach specific thresholds or special conditions.


[Screenshot: color settings of the “HIGH SEVERITY VULNERABILITIES” count widget. A base
color is displayed by default if no rules are set, and a rule highlights the widget when
the compared percentage is greater than 50%. Further rules can be added.]


A “reference” query in the count widget is useful for comparing the “initial” query’s
result set to some type of control or benchmark. The difference between the result sets
of both queries is represented as a percentage.

In the example above, HIGH severity vulnerabilities (Sev. 3, 4, 5) are presently about
94% of ALL vulnerabilities (Sev. 1, 2, 3, 4, 5). The “count” widget is configured to
change from its base color to red when this percentage is greater than 50 percent.

Count widget types have the option to Enable Trending. When enabled, widgets can
store trend data for up to 90 days.


[Screenshot: Edit Widget (VM).
Query 1 (Vulnerability): vulnerabilities.status:REOPENED
“Compare with another reference query” is selected.
Query 2 (Vulnerability): vulnerabilities.status:[NEW, ACTIVE, REOPENED]
Additional Options: Enable Trending]


This widget will store its results each day for up to 90 days. The results will be plotted on 
a graph so that the data may be analyzed to identify trends. 


A trend line plotted on a graph will be added to the other information normally
displayed in the widget.


[Screenshot: count widget with a trend line, showing the last 91 days up to today.]


The graphic perspective provided by the trend line will make it easier to visualize swings
in momentum and to anticipate critical thresholds and milestones.

You can add one or more Asset Tags to a Dashboard through the Dashboard Editor.


[Screenshot: Edit Dashboard dialog for the “Vulnerability Management” dashboard, with
the options “Show description on dashboard” and “Set as default dashboard for this
module”, and the “Default Dashboard...” tag added under “Share/Categorize with following
tags”.]


The “Default Dashboard Access Tag” is created by Qualys. 


[Screenshot: User Edit dialog, “Roles And Scopes” section. Under Edit Scope (“Define
what assets the user can access by tags”), the “Default Dashboard...” tag is added to
the user's scope.]


Share dashboards with other Qualys users by assigning “dashboard” tag(s) to their 
accounts. 


For more information and details on Dashboard and Widget capabilities, check out the
Qualys “Reporting Strategies & Best Practices” training course (qualys.com/learning).


Threat Detection & Prioritization


Use the VMDR Prioritization report to automatically prioritize the riskiest
vulnerabilities for your most critical assets, reducing potentially thousands of
discovered vulnerabilities to the few that matter.


VMDR Threat Feed 


The Threat Intelligence Feed provides a key element to the Prioritization Report. Focus 
remediation efforts on high-severity vulnerabilities with known or existing threats. 


[Screenshot: VMDR PRIORITIZATION > Threat Feed, with High Rated Feed (429), Medium / Low
Rated Feed (59) and Favorites (5) columns. Search for threats by category, content, or
publish date, and click “Impacted Assets” on an entry to view impacted assets within
your subscription. Example entries: “Microsoft Windows security update for October
2021...” and “Backdoor Account in Zyxel Products (CVE-2020-29583)”.]


This Threat Intelligence Feed is provided by Qualys Threat & Malware Labs, along with 
several other exploit and malware sources. 


Other Threat Feed Sources


Exploit Sources

Source Type                                   Data Type
Core Security                                 PoC Exploits mapped to CVEs
Exploit-DB                                    PoC Exploits mapped to CVEs
Metasploit                                    PoC Exploits mapped to CVEs
Contagio Dump                                 Exploit Kits mapped to CVEs
Immunity (Agora, Dsquare, Enable Security,    PoC Exploits mapped to CVEs
  White Phosphorus)
Google Project Zero                           Zero-Days mapped to CVEs


Malware Sources

Source Type                                   Data Type
Reversing Labs                                CVEs associated with malware
Trend Micro                                   Malware names associated with CVEs
McAfee                                        Ransomware mapped to CVEs


* Qualys Threat Protection leverages exploit and malware data from multiple sources.


Prioritization Report


By correlating vulnerability information with threat intelligence and asset context, the
Prioritization Report will help you to “zero in” on your highest risk vulnerabilities and
quickly patch them.


The VMDR Prioritization report:

• Guides you to target and quickly patch your highest risk vulnerabilities.
• Helps you find the specific patch to fix a particular vulnerability.
• Allows you to quickly identify and remediate the vulnerabilities that are most
  likely to get exploited.
• Empowers security analysts to pick and choose the relevant threat indicators for
  your specific and unique organization.
• Provides an integrated workflow that reduces the time between vulnerability
  detection and patch deployment.


Click the following URL to begin the “VMDR Prioritization Report” tutorial: 


PLAY J Lab 12 - https://ior.ad/7SH3 


After selecting one or more Asset tags to specify report context, prioritization options 
are provided in three categories: 


Age 


Prioritize vulnerabilities by their age. Detection age is the number of days since the 
vulnerability was first discovered (e.g., by a scanner or cloud agent). The “Vulnerability” 
option will distribute vulnerabilities by actual or KnowledgeBase age. 
Real-Time Threat Indicators (RTI)


Prioritize vulnerabilities by their known and existing threats. 




Combine multiple threat indicators, using the “Match Any” or “Match All” operators. 
Current Real-time Threat Indicators are: 


High Data Loss - Successful exploitation will result in massive data loss on the host.

High Lateral Movement - After a successful compromise, an attacker has high
potential to compromise other machines in the network.

Denial of Service - Successful exploitation will result in denial of service.

Patch Not Available - Vendor has not provided an official fix.

Privilege Escalation - Successful exploitation allows an attacker to gain elevated
privileges.

Unauthenticated Exploitation - Exploitation of this vulnerability does not require
authentication.

Remote Code Execution - Successful exploitation allows an attacker to execute
arbitrary commands or code on a targeted system or in a target process.

Actively Attacked - Active attacks have been observed in the wild. This information
is derived from Malware, Exploit Kits, acknowledgment from vendors, US-CERT and
similar trusted sources.

Malware - Malware has been associated with this vulnerability.

Zero Day - Active attacks have been observed in the wild and there is no patch from
the vendor. If a vulnerability is not actively attacked this RTI will not be set (even if
there is no patch from the vendor). If a patch becomes available Qualys will remove
the Zero Day RTI attribute.

Public Exploit - Exploit knowledge is well known and working exploitation code is
publicly available. This attribute is set for example when PoC exploit code is
available from Exploit-DB, Metasploit, Core, Immunity or other exploit vendors.
While potentially increasing the probability of attack, this RTI does not necessarily
indicate that active attacks have been observed in the wild.

Predicted High Risk - Leverages machine learning to determine if a presently
non-exploited vulnerability should be prioritized.

Easy Exploit - The attack can be carried out easily and requires little skill or does
not require additional information.

Exploit Kit - Exploit Kit has been associated with this vulnerability. Exploit Kits are
usually cloud-based toolkits that help bad actors to identify vulnerable
browsers/plugins and install malware. Search for Exploit Kits by name like Angler,
Nuclear, Rig and others.

Wormable - The vulnerability can be used by “worms” to spread without user
interaction.

Solorigate Sunburst - Solorigate Sunburst has been associated with all the CVEs
used by FireEye's Red Team tools to test the security of their client environments
and compromised versions of SolarWinds Orion.

Ransomware - This vulnerability has been exploited in attack vectors where
ransomware has been deployed. In other words, this vulnerability is associated with
known ransomware.
Attack Surface


Attack Surface options provide additional context for the assets in the Prioritization 
Report. 




Use Attack Surface options to further refine the context already provided by the 
included Asset Tags. 


Running Kernel - It's possible that multiple kernels may be detected on the same Linux host. Toggle this filter On to filter out 
kernel-related vulnerabilities that are not exploitable because they were found on a non-running kernel. 


Running Service - Toggle this filter On to filter out service-related vulnerabilities that are not exploitable because they were 
found on a non-running port/service. 


Not Mitigated by Configuration - We may detect software on a host that is considered vulnerable, however there's a specific 
configuration present on the host that makes it not exploitable. Toggle this filter On to filter out config-related vulnerabilities 
that are not exploitable due to host configuration. 


Remotely Discoverable Only - Toggle this filter On to only include vulnerabilities that can be detected by a scanner using
remote (unauthenticated) scanning.


Internet Facing Only - Toggle this filter On to include assets with IP addresses that could be exploitable. Our system tag
named Internet Facing Assets includes a range of pre-defined IP addresses. We automatically tag assets that match this
pre-defined IP address range in the tag.


To view the complete range of IP addresses that are included in the Internet Facing Assets system tag, go to the AssetView app,
navigate to Assets > Tags and then select the Internet Facing Assets tag. From the quick-action menu, select View and then click
Tag Rule in the View mode to view the complete list of IP addresses defined in the tag.


Once your priority options have been selected, click the “Prioritize Now” button. 




The displayed assets, vulnerabilities and patches will reflect the priority options you 
specify. 
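
The selection logic described above (Match Any / Match All over RTIs, the Zero Day rule, and the Attack Surface toggles), modelled in Python as an added example. It is not Qualys code: the `Detection` fields, the `min_age_days` parameter, the function names and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    """One vulnerability detection on one host (hypothetical field names)."""
    name: str
    age_days: int                        # detection age: days since first found
    rtis: frozenset = frozenset()        # indicators supplied by the threat feed
    actively_attacked: bool = False
    patch_available: bool = True
    kernel_running: bool = True          # False: found only on a non-running kernel
    service_running: bool = True         # False: found on a non-running port/service
    mitigated_by_config: bool = False
    remotely_discoverable: bool = False
    internet_facing: bool = False


def effective_rtis(d):
    """Feed RTIs plus the indicators that depend on attack and patch state."""
    rtis = set(d.rtis)
    if d.actively_attacked:
        rtis.add("Actively Attacked")
    if not d.patch_available:
        rtis.add("Patch Not Available")
    # Zero Day needs BOTH conditions: observed attacks and no vendor patch.
    # It disappears as soon as a patch exists, and is never set on "no patch" alone.
    if d.actively_attacked and not d.patch_available:
        rtis.add("Zero Day")
    return rtis


def prioritize(detections, rtis=(), match="any", min_age_days=0,
               running_kernel=False, running_service=False,
               not_mitigated_by_config=False,
               remotely_discoverable_only=False, internet_facing_only=False):
    """Return the names of detections that survive every selected option."""
    if match not in ("any", "all"):
        raise ValueError("match must be 'any' or 'all'")
    wanted = set(rtis)
    selected = []
    for d in detections:
        have = effective_rtis(d)
        if wanted:
            hit = wanted <= have if match == "all" else bool(wanted & have)
            if not hit:
                continue
        if d.age_days < min_age_days:
            continue
        # Each Attack Surface toggle only removes findings; none adds any.
        if running_kernel and not d.kernel_running:
            continue
        if running_service and not d.service_running:
            continue
        if not_mitigated_by_config and d.mitigated_by_config:
            continue
        if remotely_discoverable_only and not d.remotely_discoverable:
            continue
        if internet_facing_only and not d.internet_facing:
            continue
        selected.append(d.name)
    return selected


# Constructed sample detections.
SAMPLE = [
    Detection("kernel-privesc", 45,
              frozenset({"Privilege Escalation", "Public Exploit"}),
              kernel_running=False),
    Detection("vpn-rce", 3,
              frozenset({"Remote Code Execution", "Unauthenticated Exploitation"}),
              actively_attacked=True, patch_available=False,
              remotely_discoverable=True, internet_facing=True),
    Detection("browser-rce", 120,
              frozenset({"Remote Code Execution", "Exploit Kit"}),
              actively_attacked=True),
    Detection("legacy-dos", 200, frozenset({"Denial of Service"}),
              patch_available=False, service_running=False),
    Detection("smb-wormable", 30,
              frozenset({"Remote Code Execution", "Wormable", "Public Exploit"}),
              mitigated_by_config=True, remotely_discoverable=True),
]

if __name__ == "__main__":
    print(prioritize(SAMPLE, ["Zero Day", "Wormable"], match="any",
                     not_mitigated_by_config=True))
```
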


As you continue to make adjustments to the priority options, the displayed 
vulnerabilities and patches are automatically adjusted. Patches can be deployed 
individually or all at once. 


Zero-Touch Patch Jobs 


Select the “Zero-Touch Patch Job” option from the VMDR Prioritization Report. 




- Automates the selection of patches for recurring deployment jobs
- Patches are selected using QQL
- Patches meeting the query condition are included in scheduled deployment jobs
  (daily, weekly, monthly)


Click the following URL to begin the “Zero-Touch Patch Job” tutorial: 


Lab 13 - https://ior.ad/7SHc 
Patches will be expressed as query conditions.


[Screenshot: “Create: Windows Deployment Job” wizard, step 4 of 9 (Select Patches), with “Automated Patch Selection” chosen and a vulnerability query that begins: vulnerabilities.vulnerability: (threatIntel.malware:True or threatIntel.activeAttacks: (truncated in the screenshot)]


Note: For optimum performance, only missing and non-superseded patches that match the QQL criteria will be added to the job.


The query is generated from the options (Age, RTIs, and Attack Surface) selected in the 
Prioritization Report. 


Export to Dashboard 
Export the results of any VMDR Prioritization Report as a Dashboard Widget. 


Results will be continuously updated within the Widget. 


Patch Management


Along with the help of Qualys Cloud Agent, the Patch Management application provides 
the patch response functionality in VMDR. 


Deployment Job 


While a patch assessment is useful for providing a list of “installed” and “missing” 
patches, “Deployment Jobs” perform the tasks of actually installing patches to host 
assets. 


Click the following URL to view the “Patch Deployment Job” tutorial: 
[S i014- neosior 7st 


Before creating any job, you’ll need to add “patchable” agent hosts to the “Licenses” tab 
(within the CONFIGURATION section of the Patch Management application). 




Use Asset Tags to include host assets for license consumption. The “Total Consumption” 
indicator is updated with the number of agent hosts labelled with the tag(s) included. 




Create Deployment Job 


You can create a “Deployment Job” for agent host assets that are missing patches. 




While it is common to build a job from the JOBS section (of the PM application), jobs can
also be created within the PATCHES and ASSETS sections.


You can add assets to a job by Host Name or by Asset Tag. If you include more than one
Asset Tag, be sure to select an appropriate Boolean operator (i.e., Any or All): “Any”
matches hosts that have any of the tags (OR), while “All” matches only hosts that have
all of them (AND).


Pre-Actions let you run a PowerShell script or install software before the patch job begins.


Additionally, Post-Actions can be configured to execute at the completion of the patch 
job. 
Use the “Manual Patch Selection” option to select patches individually from the Patch
Catalog.




By default, the “Patch Selector” displays patches that are “Within Scope” of the host 
asset(s) your job is targeting. 




For greater patching efficiency, consider selecting patches that have NOT been
superseded (“isSuperseded:false”) to eliminate older, redundant patches. Patches that
display the O symbol will require a reboot.


If you attempt to add patches (to an existing job) that are already included, you will
receive a warning message similar to the one below:


1 or more patches listed below are already part of the selected job(s) or you might have exceeded the
maximum number of patches per job. Continuing will not add these repeated patches in the respective
job(s).

PatchNow_1596824962760


Duplicate patches will not be added to a job. 
Alternatively, with the “Automated Patch Selection” option, patches can be selected
using a query.


[Screenshot: “Create: Windows Deployment Job” wizard, step 4 of 9 (Select Patches), with “Automated Patch Selection” chosen and the patch query: vendor:Microsoft and vendorSeverity:Critical]

One or more conditions within the query will decide which patches get included in the 
job. 


You can run jobs on demand, or you can schedule your jobs to run at a future date and 
time. 




Schedule jobs to run once, or to recur on a daily, weekly or monthly basis. 


You have the option to configure a “Patch Window” (i.e., “Set Duration” option), to 
restrict patching to a specific time frame. 
Patch Window

You can configure a patch window to run the deployment job only within a particular time
frame.

[Screenshot: Patch Window options “None” and “Set Duration”, with the duration set to 6 Hours.]

Note: Setting this will restrict the agent to complete the job within the specified patch window (e.g.,
start time + 6 hrs). The job gets timed out outside this window.


A host will display the “Timed out” status if its installation does not start within the
specified patch window. All other hosts that started within the specified window will
be allowed to finish.


Select the “None” option to give Cloud Agent as much time as it needs to start and
complete the job.


The Deployment and Reboot Communication Options allow you to specify the type of
“pop-up” messages end-users will receive before, during and after job deployment.


[Screenshot: Pre-Deployment message settings. Title: “Pre-Deployment”. Message: “Patching is about to begin.” Deferment: remind again in 1 Hours. Number of deferments: 3 times. The dialog notes that if no user is logged in, the deployment process starts per job schedule.]


The “Deferment” settings provide active end-users the option to postpone the start of a 
job and to postpone a system reboot (if required). 


[Screenshot: Reboot Request message settings. Title: “Reboot Request”. Message: “Please reboot your system, to complete patch deployment.” Deferment: remind again in 1 Hours. Number of deferments: 3 times. The dialog notes that if no user is logged in, the reboot will start immediately after patch deployment.]


If no user is logged-in, patching will begin as scheduled and rebooting will start 
immediately following patch deployment. 


Additional Job Settings 


Enable opportunistic patch download 
The agent attempts to download patches before a scheduled job runs. 


The option to “Enable opportunistic patch downloads” potentially allows scheduled jobs 
to save time by attempting to download patches, prior to job execution. 


Use the “Quick Actions” menu to view the progress of any job. 




Verify the status of each host targeted. 


Job Status            Description

Canceled - Blackout   Patch deployment job is canceled on the asset due to blackout window
Completed             Patch deployment job is completed on the asset
Downloaded            Patch file is successfully downloaded on the asset
Downloading - failed  Patch failed to download on the asset
Not licensed          Job manifest cannot be sent as the asset does not have PM license
Job started           Agent has started the job
Job resumed           Asset is restarted and agent has resumed the job
Job failed            Agent encountered an error while executing the job
Patching              Patch job is running on the asset
Pending               Patch job is pending for execution on the asset
Pending reboot        Reboot activity is pending for the asset
Rebooted              Asset is restarted after patch installation
Timed out             Job is timed out


Assets and patches can be added to a “Recurring” job, both before and after it is
“Enabled.” Jobs that run only once cannot be updated once they are enabled.


Once patch deployment is complete, another patch assessment scan will begin
automatically and the number of missing and installed patches will be updated for the
affected host(s).


Patch Catalog 


The Patch Catalog contains tens of thousands of OS and application patches. Presently 
you can add up to 2000 patches to a single job. 


Click the following URL to view the “Patch Catalog” tutorial: 


Lab 15 - https://ior.ad/7SHW


By default, only the latest (non-superseded) and missing patches are displayed. This is 
done to help you focus on the essential patches required by your host assets. 




To view ALL patches in the catalog, remove (uncheck) the “Missing” and “Non- 
superseded” filter options and then click somewhere outside of the “Filters” drop-down 
menu (to refresh the displayed patches). 
Quickly search for specific groups of patches in the Patch Catalog, using
the faceted search pane on the left.

Search for patches by:

- Application Family
- Vendor
- Category
- Type
- Vendor Severity
- Reboot Requirements

For more sophisticated queries, use Query Tokens and the Qualys
Query Language (QQL) in the “Search” field, at the top of the Catalog.

Any query entered into the “Search” field will be affected by the
current filtering options. Be sure to verify the filter options, prior to
submitting queries.


Patches identified with the “key-shaped” icon, cannot be downloaded by Qualys’ Cloud 
Agent. This is often the case, when patches first require credentials prior to downloads. 


Type the following query into the “Search” field and press the “Enter” key: 


downloadMethod:AcquireFromVendor 




If attempting to add these patches to a job, they will not be included. 
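
The rules this section gives for what actually lands in a deployment job (only missing and non-superseded patches that match the query, no duplicates, no “AcquireFromVendor” patches, at most 2000 patches per job), put together in Python as an added example. It is not Qualys code: the parser handles only `token:value` terms joined by `and`, which is all the page's example query uses, and the patch records, ids, the `missing` field and the "Automatic" download value are constructed.

```python
import re

MAX_PATCHES_PER_JOB = 2000   # limit stated on this page


def parse_query(query):
    """Parse 'token:value and token:value' into {token: value} (toy QQL subset)."""
    if re.search(r"\b(or|not)\b|[()]", query, re.IGNORECASE):
        raise ValueError("only 'token:value and token:value' is supported here")
    terms = {}
    for part in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        token, sep, value = part.partition(":")
        token, value = token.strip(), value.strip()
        if not (sep and token and value):
            raise ValueError(f"malformed term: {part!r}")
        terms[token] = value.lower()
    return terms


def matches(patch, terms):
    """Case-insensitive equality on every term; booleans compare as true/false."""
    return all(str(patch.get(tok, "")).lower() == val for tok, val in terms.items())


def select_for_job(catalog, query, existing_ids=()):
    """Return (job_patch_ids, skipped) where skipped maps patch id -> reason."""
    terms = parse_query(query)
    job = list(existing_ids)
    skipped = {}
    for patch in catalog:
        if not matches(patch, terms):
            continue
        pid = patch["id"]
        if pid in job:
            skipped[pid] = "duplicate"            # duplicates are not added
        elif not patch["missing"]:
            skipped[pid] = "already installed"    # only missing patches qualify
        elif patch["isSuperseded"]:
            skipped[pid] = "superseded"           # older, redundant patch
        elif patch["downloadMethod"] == "AcquireFromVendor":
            skipped[pid] = "acquire from vendor"  # agent cannot download it
        elif len(job) >= MAX_PATCHES_PER_JOB:
            skipped[pid] = "job full"
        else:
            job.append(pid)
    return job, skipped


def _patch(pid, vendor, severity, missing=True, superseded=False, method="Automatic"):
    return {"id": pid, "vendor": vendor, "vendorSeverity": severity,
            "missing": missing, "isSuperseded": superseded, "downloadMethod": method}


# Constructed catalog entries.
CATALOG = [
    _patch("P-001", "Microsoft", "Critical"),
    _patch("P-002", "Microsoft", "Critical", superseded=True),
    _patch("P-003", "Microsoft", "Critical", method="AcquireFromVendor"),
    _patch("P-004", "Microsoft", "Important"),
    _patch("P-005", "Adobe", "Critical"),
    _patch("P-006", "Microsoft", "Critical", missing=False),
    _patch("P-007", "Microsoft", "Critical"),
]

if __name__ == "__main__":
    job, skipped = select_for_job(
        CATALOG, "vendor:Microsoft and vendorSeverity:Critical", ["P-007"])
    print(job)
    print(skipped)
```
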
The “Rollback” patches in the catalog are candidates for an Uninstall Job. Not all
patches can be uninstalled.




Use the ‘isRollback’ query token to list rollback patches: 
isRollback: true 


Patch jobs can also be created and updated from within the PATCHES section of the 
Patch Management application. 
Prioritized Products List


Click the “Prioritized Products” button (in the PATCHES section) to view a list of your 
software applications and products, ranked by the number of vulnerabilities each 
product added to your environment. 




Products at the top of the list are associated with the greatest number of vulnerabilities. 
The Qualys Platform provides the unique capability to target and deploy patches based 
on the relationship between products, patches and their associated vulnerabilities. In 
some cases, applications that contribute a large number of vulnerabilities, are common 
client applications that are relatively resilient to the impact of frequent patching. 



Select specific applications from the list and use the “Actions” button to “Create Job 
using Query.” 


A query designed to patch the selected application(s) is constructed automatically (using
QQL).


Patch jobs of this type will keep the selected products updated when new patches 
become available. Achieve “zero-touch” patching by scheduling this job to run daily, 
weekly, or monthly. 


For more assessment and patching details, enroll in the “Patch Management Self-Paced 
Training” course (qualys.com/learning). 
VMDR Certification Exam


Participants in this VMDR training course have the option to take the VMDR Certification 
Exam. This exam is provided through our Learning Management System 
(qualys.com/learning). To take the exam, candidates will need a “learner” account. 




If you would like to take the exam, but do not already have a “learner” account, click the 
“Request a new account” link (above), from the “Qualys Training & Certification” login 
page (qualys.com/learning). 


Once you have created a “learner” account (and for those who already have an 
account), click the following link to access the “QSC 2021 VMDR” course page: 


https://gml.geolearning.com/geonext/qualys/scheduledclassdetails4enroll.geo?&id=22511237827 


[Screenshot: “Course Catalog: Class Details” page for the course “Qualys VMDR from Asset Management to Remediation - QSC 2021”. Class name: QSC 2021 VMDR Las Vegas. Class description: Participants at QSC 2021 in Las Vegas can access the VMDR certification exam. Contact name: Phil Niegos. Session 1: Las Vegas - Bellagio, Classroom A, 3600 Las Vegas Blvd. South; Monday, November 15, 2021, 9:00 AM to 5:00 PM (America/Los_Angeles) (UTC -07:00). Instructor: Philip Niegos.]


From the “QSC 2021 VMDR” course page, click the “Enroll” button (lower-right corner). 


After successfully completing the course enrollment, click the “Launch” button, for the 
Qualys VMDR Exam. 




Each candidate is provided five attempts to pass the exam. You may use the course 
presentation slides and lab tutorial supplement to help you answer the exam questions. 
You may also use any of the resources within the Qualys UI (such as the “Help” menu) 
and resources found on the Qualys Community (community.qualys.com) to answer 
exam questions. 




With a passing score of 75% (or greater), click the “Print Certificate” button to download 
and print your course exam certificate. 
VMDR Course Survey and Trial Account


Please let us know what you think about the “QSC 2021 VMDR” training course.
Survey - https://forms.office.com/r/rsy0Aja6Xz


Would you like a VMDR trial account to practice and experiment with the lessons and 
topics provided in this course? 
Link to Trial - https://www.qualys.com/forms/vmdr 
Appendix A: Additional VMDR Applications


While this “VMDR Overview” training course focuses on four Qualys applications (i.e., 
CSAM, VM, TP, and PM), there are more VMDR applications that address and mitigate 
vulnerabilities as well as enforce security policies. 


Security Configuration Assessment (SCA) 


Monitor and assess technical security controls and security-related misconfigurations. 
Qualys Scanners and Agents collect the data points needed to perform host compliance 
assessments. 




Qualys SCA provides over 400 CIS Benchmark Policies for hundreds of OS and 
application technologies. All compliance scans are performed using the "Scan by Policy" 
option. 


Qualys SCA contains a subset of the tools and features found in the Qualys Policy 
Compliance application. For more information and details, please see the Qualys Policy 
Compliance Self-Paced Training Course (qualys.com/learning). 
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CloudView & Cloud Security Assessment (CSA) 


Continuously monitor and assess your PaaS/laaS resources for misconfigurations and 
non-standard deployments. 


ews O A 


Amazon Web Services Google Cloud Microsoft Azure 


With Qualys Cloud Connectors and the Qualys CloudView application, you can 


enumerate your cloud instances and collect metadata from your AWS, Google Cloud, 
and Microsoft Azure accounts: 


[Screenshot: policy list] 
Azure Function App Best Practices Policy 
AWS Best Practices Policy 
GCP Best Practices Policy 
GCP Cloud Functions Best Practices Policy 
CIS Amazon Web Services Foundations Benchmark 
Azure Best Practices Policy 


With Qualys Cloud Security Assessment (CSA) you can leverage “out-of-box” policies to 
assess technical controls and identify security-related misconfigurations for your AWS, 
Azure, and Google accounts. 


[Screenshot: CSA control evaluations. Controls shown: "Ensure console credentials unused for 90 days or greater are disabled" (Policy: CIS Amazon Web Services Foundations Benchmark) and "Ensure access keys unused for 90 days or greater are disabled" (Policy: AWS Best Practices Policy). Total Resources: 31. Total Evaluations: Pass 1.07K, Fail 1.14K.] 


Container Security (CS) 


The Qualys Container Security application uses the same KnowledgeBase as Qualys VM 
and VMDR, to assess and detect vulnerabilities in Docker images and containers. 


Qualys Container Sensor downloads as a Docker image and is installed on a Docker host 
as a container application, right alongside other container applications. 


Presently, there are 3 different types of Container Sensors: 
1. A General Sensor will scan images and containers on a single Docker host. 
2. A Registry Sensor will scan images in public and private Docker registries. 
3. A CI/CD Pipeline Sensor (also referred to as a "Build" sensor) scans images 
within your DevOps CI/CD pipeline projects, allowing you to identify and correct 
vulnerable images during the build process. Integrations with Jenkins and 
Bamboo are presently supported. 


Another feature in the Qualys Container Security application is Container Runtime 
Security, which provides runtime visibility and protection into container applications. 


This is achieved by instrumenting images with Qualys Container Security components, to 
gather functional and behavioural data about the container's running processes; 
thereby allowing you to create rules and policies that actively block or prevent 
unwanted actions or events. 




As one example, you could build a policy that prohibits access to sensitive system files, 
such as the shadow or passwd files on a Linux host. 


The instrumentation process places a few binaries into the image at the security layer. 
This application-native instrumentation process provides complete visibility of the 
application inside the container. The instrumentation is very lightweight and provides 
configurable data collection options with low/no impact on application performance. 


CertView (CERT) 


Qualys CertView provides visibility into certificates and their configurations, across your 
network and enterprise architecture (on-premise and cloud-based). 


CertView leverages Qualys Scanner Appliances to collect all the certificate, vulnerability 
and configuration data required for inventory and analysis, helping you to identify and 
prevent expired and expiring certificates from interrupting business functions. 


[Screenshot: Certificate Alert, with a "View Certificate" option opening the Certificate View] 


Qualys CertView also provides the ability to enroll or renew certificates to avoid potential 
service interruptions. 


Certificate Assessment generates certificate instance grades that allow administrators to 
quickly assess server SSL/TLS configurations. 


[Screenshot: Grade Summary for Host Instance, with Certificate Details] 


Certificate Assessment identifies out-of-policy certificates with weak signatures or key 
lengths and shows you how many certificates were issued by Certificate Authorities (CAs) 
that have been vetted and approved (per your policy) and how many certificates are 
self-signed or were issued by CAs that have not been authorized to issue certificates in your 
environment. 


For more information and details, please see the Qualys Certificate View video series 
(https://www.qualys.com/training/library/certview/). 


Continuous Monitoring (CM) 


Get alerts when new threats and unexpected changes to your hosts are detected, 
including: 


• New hosts detected within your Qualys subscription. 
• High severity vulnerabilities and vulnerabilities with known exploits detected. 
• New ports and services detected. 
• New or unexpected software applications detected. 
• Expiring or vulnerable SSL certificates. 
• Remediation tickets that are opened or closed. 




CM works in tandem with VM/VMDR: 


• Deploy Qualys Scanner Appliances and/or activate the VM module for deployed 
Qualys Agents. 
• Schedule frequent or continuous vulnerability scans. 


Qualys CM evaluates rules against your most recent vulnerability scans. Alerts are 
generated as soon as scan results are processed. Certificate rules are evaluated daily, 
and are not based on scans. 


For more information and details, please see the Qualys Continuous Monitoring video 
series (https://www.qualys.com/training/library/continuous-monitoring/). 


VMDR for Mobile Devices 


Qualys Secure Enterprise Mobility (SEM) provides visibility into your mobile devices by 
collecting their inventory and configuration data. 


[Figure: supported platforms, including Android OS, Android Things, Android TV, Chrome OS, Wear OS, macOS, Apple Watch, Apple TV and Windows 10] 


Your company's mobile device inventory is added to the Qualys CSAM application, 
providing you with greater insight into mobile devices that are managed vs. unmanaged 
(especially when combined with Qualys Passive Sensor). 


Qualys vulnerability and compliance assessments help to keep your mobile devices 
hardened and secure. Vulnerability assessment tests are provided for both OS and 
applications. 


Compliance assessment examples include: passcode not present, encryption status, 
unauthorized root access (rooted), etc. 


With Qualys SEM, you can perform active device operations, like locking a screen or 
locating a missing device. 


Appendix B: Prioritization Report Use Cases 


The VMDR Prioritization Report provides countless ways to combine Asset Context, 
Vulnerability Age, Real-Time Threat Indicators, and Attack Surface options. Here are a 
couple of use cases to demonstrate different approaches to building Prioritization Reports. 


Databases 


Hosts with large data stores are especially impacted by “High Data Loss” vulnerabilities. 


Click the following URL to view the “Prioritization Report Use-Case: Databases” 
tutorial: 


https://ior.ad/7SH7 


Internet Facing Assets 


Hosts with public interfaces are at greater risk because of their exposure to the Internet, 
especially with vulnerabilities that can be exploited without authentication. The risk 
becomes even more significant if the same host has vulnerabilities that can lead to 
privilege escalation. 


Click the following URL to view the “Prioritization Report Use-Case: Internet Facing 
Assets” tutorial: 


https://ior.ad/7SH8 